
M1006 Use Recent OS Version

New mobile operating system versions bring not only patches against discovered vulnerabilities but often also security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block the use of observed adversary techniques.

| Item | Value |
|---|---|
| ID | M1006 |
| Version | 1.0 |
| Created | 25 October 2017 |
| Last Modified | 17 October 2018 |

Techniques Addressed by Mitigation

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1433 | Access Call Log | Decrease likelihood of successful privilege escalation attack. |
| mobile | T1413 | Access Sensitive Data in Device Logs | Starting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.) [4] |
| mobile | T1409 | Access Stored Application Data | Most new versions of mobile operating systems include patches to newly discovered privilege escalation exploits used to root or jailbreak devices. Further, applications that target Android API level 28 or higher on Android 9.0 and above devices have a policy applied that prevents other applications from reading or writing data in their internal storage directories, regardless of file permissions. [5] |
| mobile | T1427 | Attack PC via USB Connection | - |
| mobile | T1402 | Broadcast Receivers | In Android 8, broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. [13] |
| mobile | T1429 | Capture Audio | Android 9 and above restricts access to microphone, camera, and other sensors from background applications. [11] |
| mobile | T1512 | Capture Camera | Android 9 and above restricts access to mic, camera, and other sensors from background applications. [11] |
| mobile | T1414 | Capture Clipboard Data | Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME). [10] |
| mobile | T1412 | Capture SMS Messages | - |
| mobile | T1448 | Carrier Billing Fraud | Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers. [6] |
| mobile | T1510 | Clipboard Modification | Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME). [10] |
| mobile | T1577 | Compromise Application Executable | Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases. |
| mobile | T1401 | Device Administrator Permissions | Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult. [7] |
| mobile | T1446 | Device Lockout | - |
| mobile | T1407 | Download New Code at Runtime | On Android 10 and above devices, applications that target Android API level 29 or higher cannot execute native code stored in the application’s internal data storage directory, limiting the ability of applications to download and execute native code at runtime. [12] |
| mobile | T1456 | Drive-by Compromise | - |
| mobile | T1404 | Exploit OS Vulnerability | - |
| mobile | T1405 | Exploit TEE Vulnerability | - |
| mobile | T1458 | Exploit via Charging Station or PC | Newer OS versions generally will include security patches against discovered vulnerabilities that become known to the vendor. Additionally, iOS 11.4.1 and higher introduce USB Restricted Mode, which under certain conditions disables data access through the device’s charging port (making the port only usable for power), likely preventing this technique from working. [9] |
| mobile | T1477 | Exploit via Radio Interfaces | - |
| mobile | T1420 | File and Directory Discovery | Increase difficulty of escalating privileges, as security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents. |
| mobile | T1581 | Geofencing | New OS releases frequently contain additional limitations or controls around device location access. |
| mobile | T1411 | Input Prompt | - |
| mobile | T1478 | Install Insecure or Malicious Configuration | iOS 10.3 and higher add an additional step for users to install new trusted CA certificates to make it more difficult to trick users into installing them. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack. [1][2] |
| mobile | T1579 | Keychain | Newer OS releases typically patch known root exploits disclosed in previous versions. |
| mobile | T1461 | Lockscreen Bypass | - |
| mobile | T1403 | Modify Cached Executable Code | For applications running on Android 10 and higher devices, application developers can indicate that DEX code should always be executed directly from the application package. [8] |
| mobile | T1410 | Network Traffic Capture or Redirection | - |
| mobile | T1424 | Process Discovery | As stated in the technical description, Android 7 and above prevent applications from accessing this information. |
| mobile | T1422 | System Network Configuration Discovery | Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces. [3] |
| mobile | T1416 | URI Hijacking | iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI. [14] |

References


  1. Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018. 

  2. Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018. 

  3. Android. (n.d.). Android 6.0 Changes. Retrieved December 21, 2016. 

  4. Dianne Hackborn. (2012, July 12). Re: READ_LOGS permission is not granted to 3rd party applications in Jelly Bean (api 16). Retrieved December 21, 2016. 

  5. Google. (n.d.). Behavior changes: apps targeting API level 28+. Retrieved September 18, 2019. 

  6. Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016. 

  7. Adrian Ludwig. (2016, May 19). What’s new in Android security (M and N Version). Retrieved December 9, 2016. 

  8. Android Developers. (n.d.). Run embedded DEX code directly from APK. Retrieved September 20, 2019. 

  9. Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018. 

  10. Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019. 

  11. Android Developers. (, January). Android 9+ Privacy Changes. Retrieved August 27, 2019. 

  12. Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019. 

  13. Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020. 

  14. L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020. 
